Security is only as strong as your weakest link. And, as the bad actors know, that weak link is often single factor authentication. Compromised credentials remain the primary root cause of 80% of all data breaches (VBIR). The most recent example is the Colonial Pipeline ransomware attack, which has been traced back to the company’s VPN that was protected by only a single password.
Adopting multi-factor authentication (MFA), where two or more credentials must be presented to verify user or device identity before granting access, exponentially decreases the possibility that an attack will be successful – even if passwords are compromised. Yet, many companies have remained hesitant about deploying MFA, citing concerns over increased friction, cost and complexity.
The obvious answer is that the cost, complexity and lost productivity of a data breach or ransomware attack is infinitely worse. More importantly, modern MFA is seamless and secure, using smart authenticators like mobile push, digital certificates and smart phone biometrics to provide an almost invisible layer of security. Some MFA best practices include:
- Protect valid credentials from compromise – Start with a device reputation check to establish trust in the device first to prevent the compromise of otherwise valid user credentials.
- Verify identities digitally – Let users confirm their identity from the comfort of their own couch in under a minute with a few high-resolution snaps of their government issued ID and a selfie. The pics are validated for document authenticity and to ensure the person presenting the credential is not only the person on that credential, but also a live person.
- Apply contextual awareness – Adaptive risk-based authentication provides the context you need to identify suspicious patterns so you can decide to allow, block, or challenge the user with step-up authentication.
- Realize one set of secure login credentials – Multiple login credentials frustrate users and contribute to poor password hygiene. Single Sign-on (SSO) resolves both issues with one secure login. Better yet, go passwordless!
- Remove the password – No password, no password hacks. Passwordless login options include…